Add inline YAML decrypting

Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
kubernetes-sigs · Dec 8, 2020 · a673c4b · a673c4b
1 parent fd90605
commit a673c4b
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+./kustomize/kustomize
 
 .vscode
 .idea

diff --git a/api/go.mod b/api/go.mod
@@ -13,10 +13,11 @@ require (
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/pkg/errors v0.8.1
 	github.com/stretchr/testify v1.4.0
+	github.com/sylr/go-yaml-crypto/age v0.0.0-20201205002908-db238efadb23 // indirect
 	github.com/yujunz/go-getter v1.5.1-lite.0.20201201013212-6d9c071adddf
 	golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e
 	gopkg.in/yaml.v2 v2.3.0
-	gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
 	k8s.io/api v0.17.0
 	k8s.io/apimachinery v0.17.0
 	k8s.io/client-go v0.17.0

diff --git a/api/go.sum b/api/go.sum
@@ -407,6 +407,9 @@ github.com/stretchr/testify v1.2.3-0.20181224173747-660f15d67dbb/go.mod h1:a8OnR
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/sylr/go-yaml-crypto v0.0.0-20201205002908-db238efadb23 h1:TPWpYutL+kO1c4DJQYK1m2zi2u1+h8BOhqPC7Q4ft0o=
+github.com/sylr/go-yaml-crypto/age v0.0.0-20201205002908-db238efadb23 h1:jzfjgoMWH6mQkDEV+cr2GIp3pSZYYEf6+1Ahm0/lRyw=
+github.com/sylr/go-yaml-crypto/age v0.0.0-20201205002908-db238efadb23/go.mod h1:XMtsWLkPlU/RvthcyAjTOWNxEii2AfnOEuX/SdRRd1o=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/timakin/bodyclose v0.0.0-20190930140734-f7f2e9bca95e h1:RumXZ56IrCj4CL+g1b9OL/oH0QnsF976bC8xQFYUD5Q=
 github.com/timakin/bodyclose v0.0.0-20190930140734-f7f2e9bca95e/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
@@ -577,6 +580,8 @@ gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71 h1:Xe2gvTZUJpsvOWUnvmL/tmhVBZUmHSvLbMjRj6NUUKo=
 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=

diff --git a/api/kv/kv.go b/api/kv/kv.go
@@ -21,6 +21,9 @@ import (
 
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/types"
+
+	yamlcryptoage "github.com/sylr/go-yaml-crypto/age"
+	"gopkg.in/yaml.v3"
 )
 
 var utf8bom = []byte{0xEF, 0xBB, 0xBF}
@@ -78,6 +81,8 @@ func (kvl *loader) getAgeIdentities(sources []string) ([]age.Identity, error) {
 	var ids []age.Identity
 	if len(sources) > 0 {
 		for _, path := range sources {
+			// TODO(sylr): use a less restrictive loader. identities should come
+			// from anywhere, at least up to PWD.
 			content, err := kvl.ldr.Load(path)
 			if err != nil {
 				return nil, err
@@ -120,6 +125,38 @@ func decryptValueWithAge(value []byte, ids []age.Identity) ([]byte, error) {
 	return value, nil
 }
 
+func decryptInlineYAMLWithAge(value []byte, ids []age.Identity) ([]byte, error) {
+	if len(ids) == 0 {
+		return value, nil
+	}
+
+	in := bytes.NewBuffer(value)
+
+	node := yaml.Node{}
+	w := yamlcryptoage.Wrapper{
+		Value:      &node,
+		Identities: ids,
+	}
+
+	decoder := yaml.NewDecoder(in)
+	err := decoder.Decode(&w)
+
+	if err != nil {
+		return value, err
+	}
+
+	out := new(bytes.Buffer)
+	encoder := yaml.NewEncoder(out)
+	encoder.SetIndent(2)
+	err = encoder.Encode(&node)
+
+	if err != nil {
+		return value, err
+	}
+
+	return out.Bytes(), nil
+}
+
 func keyValuesFromLiteralSources(sources []string, ids []age.Identity) ([]types.Pair, error) {
 	var kvs []types.Pair
 	for _, s := range sources {
@@ -129,11 +166,16 @@ func keyValuesFromLiteralSources(sources []string, ids []age.Identity) ([]types.
 		}
 		if strings.HasSuffix(k, ".age") {
 			k = strings.TrimRight(k, ".age")
-			content, err := decryptValueWithAge([]byte(v), ids)
-			v = string(content)
+			content := []byte(v)
+			if strings.HasSuffix(k, ".yaml") || strings.HasSuffix(k, ".yml") {
+				content, err = decryptInlineYAMLWithAge(content, ids)
+			} else {
+				content, err = decryptValueWithAge(content, ids)
+			}
 			if err != nil {
 				return nil, err
 			}
+			v = string(content)
 		}
 		kvs = append(kvs, types.Pair{Key: k, Value: v})
 	}
@@ -153,7 +195,15 @@ func (kvl *loader) keyValuesFromFileSources(sources []string, ids []age.Identity
 		}
 		if strings.HasSuffix(fPath, ".age") {
 			k = strings.TrimRight(k, ".age")
-			content, err = decryptValueWithAge(content, ids)
+
+			if (strings.HasSuffix(k, ".yaml") || strings.HasSuffix(k, ".yml")) &&
+				!bytes.HasPrefix(content, []byte(armor.Header)) {
+				// If key has .yaml or .yml extension and has no age armor header
+				// then we try inline decrypting of the file.
+				content, err = decryptInlineYAMLWithAge(content, ids)
+			} else {
+				content, err = decryptValueWithAge(content, ids)
+			}
 			if err != nil {
 				return nil, err
 			}
@@ -171,7 +221,7 @@ func (kvl *loader) keyValuesFromEnvFiles(paths []string, ids []age.Identity) ([]
 			return nil, err
 		}
 		if strings.HasSuffix(p, ".age") {
-			content, err = decryptValueWithAge([]byte(p), ids)
+			content, err = decryptValueWithAge(content, ids)
 			if err != nil {
 				return nil, err
 			}

diff --git a/kustomize/go.sum b/kustomize/go.sum
@@ -413,6 +413,8 @@ github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJy
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/sylr/go-yaml-crypto/age v0.0.0-20201205002908-db238efadb23 h1:jzfjgoMWH6mQkDEV+cr2GIp3pSZYYEf6+1Ahm0/lRyw=
+github.com/sylr/go-yaml-crypto/age v0.0.0-20201205002908-db238efadb23/go.mod h1:XMtsWLkPlU/RvthcyAjTOWNxEii2AfnOEuX/SdRRd1o=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/timakin/bodyclose v0.0.0-20190930140734-f7f2e9bca95e/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
@@ -598,6 +600,8 @@ gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71 h1:Xe2gvTZUJpsvOWUnvmL/tmhVB
 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=